March 2007 - Developers - lists.phpmyadmin.net

[Phpmyadmin-devel] Revision 10096 (cookie.auth.lib.php)
by Marc Delisle 15 Mar '07

15 Mar '07

Hi, Two things with this revision: 1. Notice: Undefined index: last_access_time in /subversion/trunk/phpMyAdmin/libraries/auth/cookie.auth.lib.php on line 363 2. The last username used appears with some time info, like this: marc: 1173891459

2 2

[Phpmyadmin-devel] locales again ... ;-)
by Sebastian Mendel 15 Mar '07

15 Mar '07

... some day i will have my linux workstation ... ;-) ... or phpMyAdmin will a GUI to make this ... plaese add: $strMysqlLibDiffersServerVersion = 'Your PHP MySQL library version %s differs from your MySQL server version %s. This may cause unpredictable behaviour.'; behaviour? results? or consequences? add an FAQ item? -- Sebastian Mendel www.sebastianmendel.de

2 1

[Phpmyadmin-devel] locale strings again ...
by Sebastian Mendel 14 Mar '07

14 Mar '07

please remove: $strIndexWarningMultiple $strIndexWarningPrimary please add: $strIndexesSeemEqual = 'The following indexes appear to be equal and one of them should be removed:'; thanks! -- Sebastian Mendel www.sebastianmendel.de

1 0

[Phpmyadmin-devel] blank lines after zip extraction
by Marc Delisle 13 Mar '07

13 Mar '07

Hi, I smell a 2.10.0.3 coming for a security issue but I would like to clarify a blank lines problem before releasing. I need your input on https://sourceforge.net/tracker/index.php?func=detail&aid=1679440&group_id=… Marc

1 0

[Phpmyadmin-devel] please add $strFiles = 'Files'
by Sebastian Mendel 13 Mar '07

13 Mar '07

... into trunk thanks alot -- Sebastian Mendel www.sebastianmendel.de

1 0

[Phpmyadmin-devel] new ChangeLog and backported fixes
by Marc Delisle 05 Mar '07

05 Mar '07

Hi, Let's say I fix something in trunk (for 2.11) then backport in branches/QA_2_10 (for 2.10.1). Should I mention the fix in both ChangeLogs ? Marc

2 2

[Phpmyadmin-devel] [PATCH] Add $cfg['ProtectBinary'] = 'hex' feature
by Kornél Pál 05 Mar '07

05 Mar '07

Hi, For some toughts about binary field handling of phpMyAdmin see: http://sourceforge.net/tracker/index.php?func=detail&aid=1611770&group_id=2… This patch implements a $cfg['ProtectBinary'] = 'hex' setting that makes phpMyAdmin handle BINARY and BLOB fields in hex. Note that I recommend to use the $GLOBALS['cfg']['ProtectBinary'] === 'hex' code paths in common.lib.php anyway instead of using $GLOBALS['cfg']['ProtectBinary'] === 'hex'. If you like this patch please apply it to the SVN otherwise comments are welcome. Kornél

1 0

[Phpmyadmin-devel] phpMyAdmin 2.10.0.2 is released
by Marc Delisle 02 Mar '07

02 Mar '07

Hi, The "Month Of PHP Bugs" reveals some PHP vulnerabilities. MOPB-02-2007 (PHP Executor Deep Recursion Stack Overflow) uses phpMyAdmin as an example to show a recursion vulnerability in PHP, for which a protection is provided in version 2.10.0.2. More details will follow on phpmyadmin.net, Security section, PMASA-2007-3. Marc Delisle, for the team

1 0

Re: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
by Marc Delisle 02 Mar '07

02 Mar '07

Sebastian Mendel a écrit : > Marc Delisle schrieb: >> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) >> {echo "x" . $i . "=a&";}'` >> >> -> URI too long >> >> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) >> {echo "x" . $i . "=a&";}'` >> >> -> login form >> >> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) >> {echo "x" . $i . "=1&";}'` >> >> -> URI too long > > works for me: > > deep_recusrion.php > <?php > echo 'register_globals: ' . ini_get('register_globals'); > echo '<hr />'; > echo '<a href="?'; > for ($i = 1; $i < 1010; $i++) {echo "x" . $i . "=a&";} > echo '">klick to test protection against 1000+ vars</a>'; > echo '<hr />'; > > if (count($GLOBALS) > 1000) { > die('deep recursion attack'); > } > ?> > > I wrote that I was testing an unpatched PMA. I'm not saying that our "if" does not work, I'm saying that I don't see the goal of checking the size of $GLOBALS. Marc

2 3

Re: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
by Marc Delisle 02 Mar '07

02 Mar '07

Sebastian Mendel a écrit : > Marc Delisle schrieb: >> Sebastian Mendel a écrit : >>> Marc Delisle schrieb: >>>> Sebastian Mendel a écrit : >>>>> Marc Delisle schrieb: >>>>>> Sebastian Mendel a écrit : >>>>>>> Marc Delisle schrieb: >>>>>>>> Sebastian, >>>>>>>> >>>>>>>> this part of the patch: >>>>>>>> /** >>>>>>>> + * protect against deep recursion attack CVE-2006-1549, >>>>>>>> + * 1000 seems to be more than enough >>>>>>>> + * >>>>>>>> + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html >>>>>>>> + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549 >>>>>>>> + */ >>>>>>>> +if (count($GLOBALS) > 1000) { >>>>>>>> + die('possible deep recurse attack'); >>>>>>>> +} >>>>>>>> >>>>>>>> is not reached when I test the attack of MOPB-02, it's the other >>>>>>>> part that protects for this attack. >>>>>>>> >>>>>>>> Do you know in which case this code would trigger? In the case of an >>>>>>>> attempt to override $GLOBALS? >>>>>>> it should trigger if and only if register_globals is on >>>>>> I cannot make this code trigger when register_globals is on, >>>>>> it's always the protection in PMA_arrayWalkRecursive() that triggers. >>>>>> >>>>>> I'm attacking with >>>>>> curl http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo >>>>>> str_repeat("[a]",20000);'`=1 >>>>>> >>>>>> do you have some other attack in mind? >>>>> this will trigger with >>>>> >>>>> phpmyadmin/?1=1;2=2;3=3;...;100000=100000 >>>>> >>>>> this would also be triggered inside PMA_arrayWalkRecursive() but at this >>>>> point we could have allready iterated over $GLOBALS ... >>>>> >>>>> >>>> Thanks for the clarification. I tried to trigger this (with >>>> register_globals On) >>>> >>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++) >>>> {echo "$i=$i;";}'` >>>> >>>> I got: >>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> >>>> <HTML><HEAD> >>>> <TITLE>414 Request-URI Too Large</TITLE> >>>> </HEAD><BODY> >>>> <H1>Request-URI Too Large</H1> >>>> The requested URL's length exceeds the capacity >>>> limit for this server.<P> >>>> request failed: URI too long<P> >>>> >>>> ========= >>>> >>>> With less values: >>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++) >>>> {echo "$i=$i;";}'` >>>> >>>> numeric key detected >>>> -------- >>>> >>>> Ok let's try something else: >>>> >>>> curl http://localhost/phpmyadmin/?`php -r >>>> 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i;";}'` >>> curl http://localhost/phpmyadmin/?`php -r >>> 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a;";}'` >> This returns the HTML for the login form. > > uh, of course you have to use & instead of ; if your configuration says so > > curl http://localhost/phpmyadmin/?`php -r > 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a&";}'` > > >> Since we are testing the GET parameters, this might be good to test: >> >> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) >> {echo "x" . $i . "=$i&";}'` >> >> or >> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) >> {echo "x" . $i . "=$i&";}'` >> >> both return "URI too long". > > > as above, replace the second $i with a or 1 or ... > > curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a&";}'` -> URI too long curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a&";}'` -> login form curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=1&";}'` -> URI too long

1 0